TCP session "spoofing"

TCP packets carry sequence numbers that allow out-of-order stream data to be reassembled in order, track how much data each side of a stream has received so far, and, if necessary, signal retransmission of stream data assumed to have been lost. The TCP protocol specification requires that each side choose a random initial sequence number during the connection-opening handshake. However, some implementations have been quite a bit less random than others. If an attacker can open one TCP stream to a target host and thereby gain a good chance of predicting the sequence number that will be used in a subsequent connection to the host from another location, the attacker can create a forged TCP packet appearing to come from that other location, with sequence numbers the target host might accept, thus inserting data into a stream belonging to someone else.

This can give an attacker some chance (although maybe only a small one) of inserting data into some other active session. However, inserting the right data into a security-sensitive session can be dangerous or disastrous (what if someone managed to insert rm -rf / into a root shell session?). TCP implementations have sometimes beefed up the methods they use for generating initial sequence numbers -- preferably a cryptographic pseudorandom number generator (one where, even if an attacker can collect and analyze a large number of outputs, they will not be able to predict the next output).
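As an added illustration (not part of these notes), the following Python simulates a weak and a strong initial sequence number generator and measures how often an observer who opens their own connections could guess someone else's ISN closely enough to land inside the receive window. The counter generator and all addresses are constructed; the keyed generator follows the RFC 6528 construction (a clock plus a keyed hash of the connection 4-tuple), which goes beyond the notes' CSPRNG recommendation and is shown alongside a plain CSPRNG draw.

```python
import hashlib
import hmac
import secrets

MASK32 = (1 << 32) - 1          # TCP sequence numbers are 32-bit, modulo arithmetic

def make_counter_isn(step=64000):
    """Legacy-style generator (hypothetical): previous ISN plus a fixed step."""
    state = {"isn": 0}
    def gen(four_tuple):
        state["isn"] = (state["isn"] + step) & MASK32
        return state["isn"]
    return gen

def make_keyed_isn(secret=None, tick=250000):
    """RFC 6528-style: ISN = clock + HMAC(secret, 4-tuple) mod 2^32, so each
    connection's offset depends on its own remote address and port."""
    secret = secret if secret is not None else secrets.token_bytes(16)
    clock = {"m": 0}
    def gen(four_tuple):
        clock["m"] = (clock["m"] + tick) & MASK32   # simulated 4-microsecond timer
        digest = hmac.new(secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (clock["m"] + int.from_bytes(digest[:4], "big")) & MASK32
    return gen

def random_isn(four_tuple):
    """What the notes recommend: an independent CSPRNG draw per connection."""
    return secrets.randbits(32)

def in_window(guess, actual, window=65535):
    """Forged data is accepted only if its sequence number falls in the receive window."""
    return ((actual - guess) & MASK32) <= window

def guessable_fraction(gen, trials=200, window=65535):
    """Attacker connects, a victim connects, attacker connects again; the attacker
    guesses the victim ISN as the midpoint of its own two ISNs. Returns the hit rate."""
    attacker = ("198.51.100.7", 40000, "192.0.2.10", 22)   # constructed addresses
    hits = 0
    for i in range(trials):
        victim = ("203.0.113.5", 1024 + i, "192.0.2.10", 22)
        a1 = gen(attacker)
        v = gen(victim)
        a2 = gen(attacker)
        guess = (a1 + (((a2 - a1) & MASK32) >> 1)) & MASK32
        hits += in_window(guess, v, window)
    return hits / trials

if __name__ == "__main__":
    for name, g in [("counter", make_counter_isn()), ("keyed", make_keyed_isn()), ("random", random_isn)]:
        print(f"{name:8s} guessable fraction: {guessable_fraction(g):.3f}")
```

The counter scheme is guessed every time, while the keyed and CSPRNG schemes are hit only at the roughly 65536/2^32 rate that blind guessing would give.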

Another defense against TCP spoofing is the use of encrypted protocols like SSH and SSL/TLS; encryption of the TCP stream data makes it much harder to insert arbitrary data into sessions, since the attacker would also have to determine the encryption method and keys in use. However, the successful insertion of random data into an encrypted session can cause denial-of-service if one endpoint detects the invalid data and decides to abort the session.

There's a very nice paper by Michal Zalewski with graphs showing the correlation characteristics of TCP initial sequence number algorithms for various OSes: "Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later".


Steve VanDevender
Last modified: Tue Aug 3 13:03:15 PDT 2004